How the Hack at a Florida Water Treatment Plant Affects All Organizations in the Public Sector
Adopting a password manager may now be a matter of public health and safety.
The February hack of the water treatment plant in Oldsmar, Florida, emphasized the challenges that public sector organizations face when it comes to cybersecurity. They often don’t have the resources to invest in effective defenses, yet they’re an easy target for opportunistic threat actors.
Securing access to critical assets and systems is often much simpler—and much more affordable—than organizations in the public and critical infrastructure sectors may realize. Whether you’re an IT admin or security manager at a local government agency or a utility provider, you should view Oldsmar’s close call as an opportunity to reevaluate your own approach to organizational security.
What happened in the Florida water treatment facility incident?
On February 5th, unidentified actors gained access to the water treatment plant system in the small town of Oldsmar twice. They used remote-access software to log into the plant’s supervisory control and data acquisition (SCADA) software, which controls the water treatment process.
The hackers tried to poison the water supply by drastically increasing the amount of the caustic chemical sodium hydroxide. Luckily, the utility provider’s staff quickly noticed that the system was being manipulated and thwarted the attempt.
Details on how the hackers took control are still surfacing, as the case is under investigation. What we do know is that all the staff computers were connected to the SCADA system, ran on Windows 7 (which Microsoft stopped supporting with security updates in January 2020), and were accessed with a shared password for remote access while being connected directly to the internet with no firewall.
Unfortunately, insecurely shared passwords are a common problem in remote environments. Using the same password for multiple employees doesn’t just put organizations at risk of a breach if the password is compromised. It also makes it difficult to investigate security incidents, because a shared credential cannot be traced back to one person, which can be a matter of public health and safety for public and critical infrastructure sectors. Shared passwords also play into the hands of malicious insiders who want to cover their tracks. Some security experts believe that the Florida hack was, indeed, an insider job.
But it doesn’t just have to be a shared password that compromises organizations responsible for public health and safety. In 2018, Hawaii’s missile alert agency became famous after it broadcasted a false missile warning to islanders, which it blamed on an employee who pushed a wrong button. Shortly after, however, a newspaper photograph from several months before came into the spotlight: It showed an operations officer from the company—and a sticky note with a legible password in the background. While there’s no evidence that the photographed password contributed to the missile alert, the agency’s reputation suffered and its security practices came into question.
What does the hack mean to other critical infrastructure sector providers?
In July 2020, the Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory for organizations with operational technology (OT) and critical systems. The advisory warned that cyber actors have been conducting malicious activities against critical infrastructure by exploiting operational technology assets that were accessible via the internet.
The problem is not limited to OT, however. IT is just as much a target. In the last couple of years, government agencies all across the world have experienced data breaches. In many cases, their constituents’ sensitive data was exposed or ended up on the dark web.
Just last week, Jamaica's immigration website exposed thousands of travelers’ data after a cloud storage server holding over 425,000 immigration records and 70,000 negative COVID-19 test results was left unprotected and without a password. How did this happen? The data was stored on a server hosted on Amazon Web Services whose storage was set to public.
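The misconfiguration described above is what a defender should be able to catch before exposure, not after. The following added example, which is not part of the original article and is not Dashlane's code, assumes the storage was an S3 bucket and shows a weak bucket policy (an Allow statement granting anonymous "*" access) beside a corrected one that names a single IAM role, together with a check that flags public grants. The bucket name, account ID and role name are constructed placeholders.

```python
import json

# Constructed example of the weak setting: an Allow statement whose Principal
# is "*" (anyone on the internet) with no Condition, granting read access to
# every object in the bucket. Bucket name is a placeholder.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

# Corrected policy: only one named IAM role (placeholder account and role)
# may read objects; everyone else is denied by default.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ImmigrationApp"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})


def _is_anonymous(principal) -> bool:
    """True if the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def public_statements(policy_json: str) -> list:
    """Return the Allow statements that grant access to anonymous principals.

    Each finding records the statement Sid and whether a Condition block is
    present; conditioned grants are still reported because they need manual
    review rather than being assumed safe.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "conditional": bool(stmt.get("Condition")),
        })
    return findings


if __name__ == "__main__":
    print("weak policy:", public_statements(PUBLIC_POLICY))
    print("corrected policy:", public_statements(RESTRICTED_POLICY))
```

Running the check on the weak policy reports the `PublicRead` statement; the corrected policy produces no findings. A bucket policy is only one of several places a public grant can live, so in practice this kind of review sits alongside account-wide controls such as S3 Block Public Access rather than replacing them.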
The pandemic drastically changed the IT and OT landscape, adding new layers to the problem. Remote access became a growing concern because many organizations, in the public and the commercial sectors alike, were not prepared for the new security risks.
Remote access—whether for collaborating with teams or monitoring and controlling critical systems—is the new normal in the hybrid workplace. What this means for public agencies and other providers is that security needs to evolve too.
What can public and critical infrastructure sectors do?
Since threat actors constantly adapt to new trends to exploit potential weaknesses, you need to understand all the new risks. CISA’s recommended mitigations for OT—which also apply to IT—include creating a resilience plan and hardening the systems using best practices.
When it comes to securing user accounts and passwords, CISA recommends steps such as:
- Enforcing a strong password security policy
- Requiring a periodic change of passwords
- Prohibiting default passwords on devices
- Implementing and enforcing two-factor authentication
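To make these four recommendations concrete, here is an added example (not from the original article and not Dashlane's code) of a small account-hygiene audit that checks a list of accounts for the problems the Oldsmar incident exposed: a password shared across several users, a default password still in use, accounts without two-factor authentication, and passwords older than the policy window. The accounts, passwords and reference date are constructed sample data. The audit compares unsalted SHA-256 digests so that it never handles plaintext; the assumption is that the credential store exposes a deterministic digest for comparison, which a properly salted store would not, in which case the sharing report would come from the password manager's own reporting instead.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Illustrative default passwords that should never survive device commissioning.
DEFAULT_PASSWORDS = ["admin", "password", "123456", "changeme"]

MIN_LENGTH = 12      # policy minimum for a strong password (assumed value)
MAX_AGE_DAYS = 90    # policy window for periodic change (assumed value)
TODAY = date(2021, 3, 1)  # fixed reference date so the run is reproducible


def _digest(password: str) -> str:
    """Deterministic digest used only so the audit never compares plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample accounts (not real users). Two operators share one
# password, the vendor account still has a default password, and only the
# IT admin has two-factor authentication and a recently changed password.
ACCOUNTS = [
    {"user": "operator1", "pw_hash": _digest("Plant2020!"), "mfa": False, "changed": date(2020, 1, 10)},
    {"user": "operator2", "pw_hash": _digest("Plant2020!"), "mfa": False, "changed": date(2020, 1, 10)},
    {"user": "vendor",    "pw_hash": _digest("admin"),      "mfa": False, "changed": date(2019, 6, 1)},
    {"user": "itadmin",   "pw_hash": _digest("correct-horse-battery-staple-1"), "mfa": True, "changed": date(2021, 2, 1)},
]


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Strong-password check: long enough and not a known default."""
    return len(password) >= min_length and password not in DEFAULT_PASSWORDS


def audit(accounts, today: date = TODAY, max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Return findings for shared, default, no-MFA and stale passwords."""
    default_hashes = {_digest(p) for p in DEFAULT_PASSWORDS}

    # Group users by digest: any group larger than one is a shared password.
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct["pw_hash"]].append(acct["user"])

    findings = {"shared": [], "default": [], "no_mfa": [], "stale": []}
    for users in by_hash.values():
        if len(users) > 1:
            findings["shared"].append(sorted(users))
    for acct in accounts:
        if acct["pw_hash"] in default_hashes:
            findings["default"].append(acct["user"])
        if not acct["mfa"]:
            findings["no_mfa"].append(acct["user"])
        if (today - acct["changed"]).days > max_age_days:
            findings["stale"].append(acct["user"])
    return findings


if __name__ == "__main__":
    for category, users in audit(ACCOUNTS).items():
        print(f"{category}: {users}")
```

On the sample data the audit reports the two operators as sharing a password, the vendor account as using a default, three accounts without two-factor authentication, and three stale passwords; only the IT admin account passes every check. Each finding maps directly onto one of the CISA bullets above, which is the kind of report a password manager's health dashboard produces continuously rather than on a one-off run.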
Adopting a password manager can help you follow these best practices in your workplace. And the good news is, they’re simple to implement and use. They’re also cost-effective for organizations of all sizes, including those with limited resources.
How can Dashlane help?
Dashlane’s password manager not only helps you enforce the recommended password practices but also gives you the tools to understand—and improve—your organization’s password health over time.
Learn more about why passwords are the weak link and find out how a simple solution can make a big difference.